Independent security researchers should be exempted under India’s new data protection law

The data protection committee in India has the challenging task of balancing people’s rights, government surveillance and economic interests.

The government of India constituted a data protection committee last August under the chairmanship of Justice B.N. Srikrishna to make recommendations for a draft data protection law to protect people from being harmed in cyberspace. The committee is inviting public comments on the white paper released by them, and asks more than 200 questions. Several submissions have been made to the committee in public consultation meetings in Delhi, Hyderabad and Bengaluru over the last two weeks. The deadline for submissions is the end of this month.

Everyone from the information technology industry is concerned how their businesses might be affected with such a data protection law, and the cost of following regulatory compliances. While a fine balance has to be maintained to allow technology to be used for improving society and the planet at large, the human cost of such a technology needs to be debated clearly while anticipating future issues. The white paper does not address several issues around data like ownership, encryption, algorithms and classification of data apart from personal and sensitive data.

The debate on technology has been long due in our society. Most startups that want to become market leaders in emerging technologies see regulations as a hindrance to business. Investors recommend the Uber way to accelerate growth by breaking laws, but the law always catches up, leading to more scrutiny and severe punishments for gaming the system. Regulations can also bring stability in markets by controlling them effectively. Exceptions can be made, but only in controlled environments.

Interestingly, the white paper does look into exemptions that can be given for journalistic, literary, and household purposes. The FIR against the Tribune journalist by UIDAI clearly highlights the need for such exemptions.

I have received similar legal notices from UIDAI for estimating publicly available Aadhaar numbers and related personal demographic data at 130 million. Justice Srikrishna was requested to consider exemptions for independent security researchers, who may not be associated with any research/academic institution and are pointing out loopholes in the Aadhaar system.

There was an uproar against the recent UK draft data protection bill with sections penalising security researchers who de-anonymised anonymised data. Lord Ashton of Hyde has moved amendments to the draft protection bill to protect security researchers if they conduct research in public interest and report their findings in no less than 72 hours.

It states:

“The first condition is that the person acted— (a) with a view to testing the effectiveness of the de-identification of personal data, (b) without intending to cause, or threaten to cause, damage or distress to a person, and (c) in the reasonable belief that, in the particular circumstances, re-identifying the information was justified as being in the public interest.

“The second condition is that the person notified the commissioner or the controller responsible for de-identifying the personal data about the re-identification— (a) without undue delay, and (b) where feasible, not later than 72 hours after becoming aware of it.”

There seems to be a larger consensus on not giving any blanket exemptions to the police and intelligence authorities. Judicial due process will have to be followed, and no executive can take decisions on their own.

In the past, the Bengaluru Police has published at least 13,000 call data records of potential suspects for a hackathon. The Hyderabad Police was publishing names of rape victims, which they are not supposed to store in the first place.

The data protection committee in India has the challenging task of balancing people’s rights, government surveillance, and economic interests to come up with a framework which satisfies everyone. Everyone has to make small sacrifices for things to move ahead in the larger interest of the society.

Srinivas Kodali is interdisciplinary researcher working on data, cities and the internet.